I'm having the same issue. The alert grouping by email seems to be grouping alerts from more than one agent. This also affects granular email alerting. For example, I have set up an extra recipient for this one single agent, and even though the subject line of the alert wasn't for that agent, it did include one alert from the correct agent and the email was sent to both of us. Not a huge problem, it just gets a little confusing.
On Fri, Mar 27, 2009 at 6:10 AM, Delahunty, Mark <[email protected]> wrote:
>
> Is this normal? If so can I make OSSEC send emails containing alerts for
> only one server?
>
> Here's an (anonymized) example from 1 email this morning:
>
> I noticed the Subject: always refers to the last notification contained
> in the email
>
> ------------ snip
> Subject: OSSEC Notification - (xxil9) 123.123.111.119 - Alert level 10
>
> OSSEC HIDS Notification.
> 2009 Mar 27 10:03:18
>
> Received From: (xxxdb3) 123.123.111.113->/var/log/messages
> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> Mar 27 10:03:16 xxxdb3 ntpd[1941]: frequency error 512 PPM exceeds
> tolerance 500 PPM
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2009 Mar 27 10:03:24
>
> Received From: (xxil9) 123.123.111.119->/var/log/maillog
> Rule: 3158 fired (level 10) -> "Multiple pre-greetings rejects."
> Portion of the log(s):
> ---------- snip
>
> Thanks
>
> Mark Delahunty
> University College Cork
> Cork
> Ireland
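Both posters are describing ossec-maild's per-email grouping, which bundles several alerts (here from agents xxxdb3 and xxil9) into one message whose subject names only the last alert. The configuration below is an added example, not from either poster or from the OSSEC project's own files: it shows a global mail setup alongside a granular `<email_alerts>` block that sends alerts from the single agent `xxil9` (the agent name from the notification above) to an extra recipient, one alert per email. The addresses and SMTP host are placeholders; `<event_location>`, `<level>` and `<do_not_group />` are taken from the OSSEC `email_alerts` documentation, so check that the OSSEC version you run supports them.

```xml
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <!-- placeholder addresses and SMTP relay -->
    <email_to>[email protected]</email_to>
    <email_from>[email protected]</email_from>
    <smtp_server>smtp.example.com</smtp_server>
    <!-- minimum level for the default (grouped) notification emails -->
    <email_alert_level>7</email_alert_level>
    <!-- cap on notification emails per hour; alerts above the cap are held -->
    <email_maxperhour>12</email_maxperhour>
  </global>

  <!-- Granular rule: only alerts whose "Received From:" matches this agent
       go to the extra recipient, each in its own email instead of grouped -->
  <email_alerts>
    <email_to>[email protected]</email_to>
    <!-- agent name, hostname or IP as shown in "Received From: (xxil9) ..." -->
    <event_location>xxil9</event_location>
    <level>7</level>
    <do_not_group />
  </email_alerts>
</ossec_config>
```

The default recipient still gets the grouped digest; only the granular block changes delivery for the matched agent. Since `<do_not_group />` turns every matching alert into a separate message, keep `<level>` high enough (and `<email_maxperhour>` in mind) that a noisy rule on that agent cannot flood the mailbox.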
